Table splitting for cryptographic processes
First Claim
1. A computing device implemented method to resist power analysis attacks on a computing device by executing cryptographic steps based on a defined cryptographic process, the defined cryptographic process accepting an input, generating an output, and utilizing one or more originally-defined substitution tables, the method comprising a processor of the computing device in communication with a memory for executing the steps of:
- a) defining n sets of random value data words r1(x) . . . rn(x), each data word having bits with defined bit locations, each set of random value data words comprising data word entries such that data words r1[x], . . . rn[x] correspond to entry S[x] in the original substitution table,b) defining a mask value,c) generating a set of split, masked tables by, for each entry S[x],i) masking the data word S[x] with corresponding data words r1[x], . . . , rn[x] in the set of random values to define a masked data word having bits with defined bit locations,ii) masking the mask value with a selected value r1[x] of the corresponding set of random values to define a randomized mask data word for S[x], having bits with defined bit locations, andiii) generating each of the entries in a split, masked table by selecting bits from the masked data word, the randomized mask data word and, where the size n of the set of random values is 2 or more, the random value data words in the set other than the selected value r1[x], whereby each selected bit used to define each split masked table entry is selected from a correspondingly defined bit-location in its original data word, each of the bits in the entry in the split masked substitution table being defined in accordance with a pre-selected pattern.
4 Assignments
0 Petitions
Accused Products
Abstract
For a defined cryptographic process including an original substitution table, split masked substitution tables are provided to resist cryptographic attacks. The split masked substitution tables are defined with reference to a set of random value data words and a mask value. An entry in the split masked substitution tables is defined by selecting bits from the corresponding entry in the original masked substitution table, as masked by the corresponding one of the set of random value data words and by selecting bits from the corresponding one of the set of random value data words as masked by the mask value. The split masked substitution tables are usable in a modified cryptographic process based on the defined cryptographic process to permit a masked output to be generated. The split masked substitution tables are refreshed by each entry in the tables being refreshed upon access during execution of the modified cryptographic process.
23 Citations
6 Claims
-
1. A computing device implemented method to resist power analysis attacks on a computing device by executing cryptographic steps based on a defined cryptographic process, the defined cryptographic process accepting an input, generating an output, and utilizing one or more originally-defined substitution tables, the method comprising a processor of the computing device in communication with a memory for executing the steps of:
-
a) defining n sets of random value data words r1(x) . . . rn(x), each data word having bits with defined bit locations, each set of random value data words comprising data word entries such that data words r1[x], . . . rn[x] correspond to entry S[x] in the original substitution table, b) defining a mask value, c) generating a set of split, masked tables by, for each entry S[x], i) masking the data word S[x] with corresponding data words r1[x], . . . , rn[x] in the set of random values to define a masked data word having bits with defined bit locations, ii) masking the mask value with a selected value r1[x] of the corresponding set of random values to define a randomized mask data word for S[x], having bits with defined bit locations, and iii) generating each of the entries in a split, masked table by selecting bits from the masked data word, the randomized mask data word and, where the size n of the set of random values is 2 or more, the random value data words in the set other than the selected value r1[x], whereby each selected bit used to define each split masked table entry is selected from a correspondingly defined bit-location in its original data word, each of the bits in the entry in the split masked substitution table being defined in accordance with a pre-selected pattern. - View Dependent Claims (2, 3)
-
-
4. A computing-device program product for implementing a method to resist power analysis attacks on a computing device by executing cryptographic steps based on a defined cryptographic process, the defined cryptographic process accepting an input, generating an output, and utilizing one or more originally-defined substitution tables, the program product comprising program code embodied in a non-transitory program product storage media for execution by a processor of the device for implementing the method of:
-
a) defining n sets of random value data words r1(x) . . . rn(x), each data word having bits with defined bit locations, each set of random value data words comprising data word entries such that data words r1[x], . . . rn[x] correspond to entry S[x] in the original substitution table, b) defining a mask value, c) generating a set of split, masked tables by, for each entry S[x], i) masking the data word S[x] with corresponding data words r1[x], . . . , rn[x] in the set of random values to define a masked data word having bits with defined bit locations, ii) masking the mask value with a selected value r1[x] of the corresponding set of random values to define a randomized mask data word for S[x], having bits with defined bit locations, and iii) generating each of the entries in a split, masked table by selecting bits from the masked data word, the randomized mask data word and, where the size n of the set of random values is 2 or more, the random value data words in the set other than the selected value r1[x], whereby each selected bit used to define each split, masked table entry is selected from a correspondingly defined bit-location in its original data word, each of the bits in the entry in the split, masked substitution table being defined in accordance with a pre-selected pattern.
-
-
5. A computing device operative to resist power analysis attacks by executing cryptographic steps based on a defined cryptographic process, the defined cryptographic process accepting an input, generating an output, and utilizing one or more originally-defined substitution tables, the computing device including a processor in communication with a memory for executing the cryptographic operation, the device operative to:
-
a) define a mask value, b) generate a set of split, masked substitution tables corresponding to each of the one or more substitution tables, by, for each entry in each of the one or more substitution tables, masking the substitution table entry with one or more corresponding random values, masking a one of the corresponding random values with the mask value and, distributing the masked substitution table entry, the masked corresponding random value and any remaining corresponding random values not masked by the mask value across the set of split, masked substitution tables corresponding to substitution table entry'"'"'s substitution table; and
,c) store the sets of split, masked substitution tables for use in the cryptographic process.
-
-
6. A data processing system or network comprising at least one computing device for implementing a method to resist power analysis attacks on the computing device by executing cryptographic steps based on a defined cryptographic process, the defined cryptographic process accepting an input, generating an output, and utilizing one or more originally-defined substitution tables, the computing device including a processor in communication with a memory for executing the cryptographic operation, the device operative to:
-
a) define a mask value, b) generate a set of split, masked substitution tables corresponding to each of the one or more substitution tables, by, for each entry in each of the one or more substitution tables, masking the substitution table entry with one or more corresponding random values, masking a one of the corresponding random values with the mask value and, distributing the masked substitution table entry, the masked corresponding random value and any remaining corresponding random values not masked by the mask value across the set of split, masked substitution tables corresponding to substitution table entry'"'"'s substitution table; and
,c) storing the sets of split, masked substitution tables for use in the cryptographic process.
-
Specification